(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 


(19) World Intellectual Property 
Organization 

International Bureau 




(43) International Publication Date 
3 March 2005 (03.03.2005) 


PCT 


(10) International Publication Number 

WO 2005/020035 A2 


(51) International Patent Classification: G06F

(21) International Application Number: PCT/US2004/029249

(22) International Filing Date: 20 August 2004 (20.08.2004) 

(25) Filing Language: English 

(26) Publication Language: English 

(30) Priority Data: 

60/496,629 20 August 2003 (20.08.2003) US 

(71) Applicant (for all designated States except US): ROCKSTEADY NETWORKS, INC. [US/US]; 3410 Far West
Blvd., Suite 210, Austin, TX 78731 (US).

(72) Inventors; and
(75) Inventors/Applicants (for US only): WHITE, Eric [US/US]; 1717 Bartoncliff Drive, Austin, TX 78704
(US). TURLEY, Patrick [US/US]; 1820 Treadwell Lane, Austin, TX 78704 (US).

(74) Agent: AKMAL, Ariyeh; Sprinkle IP Law Group, P.O. Box 684767, Austin, TX 78768-4767 (US).


(81) Designated States (unless otherwise indicated, for every
kind of national protection available): AE, AG, AL, AM,
AT, AU, AZ, BA, BB, BG, BR, BW, BY, BZ, CA, CH, CN,
CO, CR, CU, CZ, DE, DK, DM, DZ, EC, EE, EG, ES, FI,
GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE,
KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MA, MD,
MG, MK, MN, MW, MX, MZ, NA, NI, NO, NZ, OM, PG,
PH, PL, PT, RO, RU, SC, SD, SE, SG, SK, SL, SY, TJ, TM,
TN, TR, TT, TZ, UA, UG, US, UZ, VC, VN, YU, ZA, ZM,
ZW.

(84) Designated States (unless otherwise indicated, for every
kind of regional protection available): ARIPO (BW, GH,
GM, KE, LS, MW, MZ, NA, SD, SL, SZ, TZ, UG, ZM,
ZW), Eurasian (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM),
European (AT, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FI,
FR, GB, GR, HU, IE, IT, LU, MC, NL, PL, PT, RO, SE, SI,
SK, TR), OAPI (BF, BJ, CF, CG, CI, CM, GA, GN, GQ,
GW, ML, MR, NE, SN, TD, TG).

Published: 

— without international search report and to be republished
upon receipt of that report

For two-letter codes and other abbreviations, refer to the "Guidance
Notes on Codes and Abbreviations" appearing at the beginning
of each regular issue of the PCT Gazette.


(54) Title: SYSTEM AND METHOD FOR PROVIDING A SECURE CONNECTION BETWEEN NETWORKED COMPUTERS

(57) Abstract: Systems and methods for providing a secure connection between networked computers are disclosed. A computer
may make a request for a secure connection to another networked computer. In response, configuration data may be sent to the
requesting computer which configures a protocol on the requesting computer and establishes a secure connection with the other
networked computer. This configuration data may advantageously utilize protocols inherent to particular operating systems to set up
and establish this secure connection in an automated fashion, and may include a controller designed to both automatically configure
such a protocol and automatically establish a secure connection using the protocol.
DESCRIPTION

SYSTEM AND METHOD FOR PROVIDING A SECURE CONNECTION BETWEEN 
NETWORKED COMPUTERS 

TECHNICAL FIELD OF THE INVENTION

The invention relates in general to methods and systems for computer connectivity, and more 
particularly, to methods and systems for establishing and providing secure connections between 
computers. 

BACKGROUND OF THE INVENTION

The use of computer networks to store data and provide information to users is increasingly 
common. In fact, in many cases it may be necessary for a computer to be connected to a specific 
network to retrieve data desired or needed by a user. To connect to a specific network, a user at a 
client computer may utilize a network connection, such as the Internet, to connect to a computer 

1 5 belonging to the network. 

The Internet is a loosely organized network of computers spanning the globe. Client computers, 
such as home computers, can connect to other clients and servers on the Internet through a local 
or regional Internet Service Provider ("ISP") that further connects to larger regional ISPs or 
directly to one of the Internet's "backbones." Regional and national backbones are interconnected
through long range data transport connections such as satellite relays and undersea cables. 
Through these layers of interconnectivity, each computer connected to the Internet can connect to
every other computer (or at least a large percentage of the other computers) on the Internet. Utilizing the
Internet, a user may connect to any of the networks within the Internet.


The arrangement of the Internet, however, presents a whole host of security concerns. These 
concerns revolve mainly around the fact that communications between a client computer and a 
server computer residing in a remote network may travel through a wide variety of other 
computers and networks before arriving at their eventual destinations. If these communications 
are not secured, they are readily accessible to anyone with a basic understanding of network
communication protocols. 




To alleviate these security concerns, a virtual private network or VPN may be established 
between a client computer and another network. A VPN may allow private and secure 
communications between computers over a public network, while maintaining privacy through 
the use of a tunneling protocol and security procedures. These tunneling protocols allow traffic
to be encrypted at the edge of one network or at an originating computer, moved over a public 
network like any other data, and then decrypted when it reaches a remote network or receiving 
computer. This encrypted traffic acts like it is in a tunnel between the two networks or 
computers: even if an attacker can see the traffic, they cannot read it, and they cannot change the
traffic without the changes being seen by the receiving party and therefore being rejected. 

VPNs are similar to wide area networks (WAN), but the key feature of VPNs is that they are able 
to use public networks like the Internet rather than rely on expensive, private leased lines. At 
the same time, VPNs have the same security and encryption features as a private network, while
adding the advantage of the economies of scale and remote accessibility of large public networks. 

VPNs today are set up a variety of ways, and can be built over ATM, frame relay, and X.25 
technologies. However, the most popular current method is to deploy IP-based VPNs, which 
offer more flexibility and ease of connectivity. Since most corporate intranets use IP or Web
technologies, IP-VPNs can more transparently extend these capabilities over a wide network. An
IP-VPN link can be set up anywhere in the world between two endpoints, and the IP network 
automatically handles the traffic routing. 

A VPN, however, is not without its flaws. First of all, to establish a VPN, both computers must
utilize identical VPN protocols. As there are a wide variety of VPN protocols in use, such as
PPTP, IPsec, L2TP, etc., this is by no means guaranteed. If identical protocols are not originally
on one or more of the computers, identical protocols must be installed on both of these systems
before a VPN may be established.


Additionally, even if the computers are running the same protocol, this protocol may still have to 
be manually setup and configured. In many cases, every time a remote user wishes to establish a 
VPN with a computer over an existing network he must bring up the VPN protocol he wishes to 
use and properly configure it to work with the remote computer or network he wishes to access. 


These installation and configuration issues may present problems to someone who is not well 
versed in the area of network protocols, and may even present problems for those who are 
familiar with these protocols, as typically a remote user must configure his computer without 
access to the gateway to which he wishes to connect. 


Even more problematic, however, is that setting up a VPN still presents security issues. Almost
universally, a gateway at a remote network is not going to establish a VPN with a random remote
computer. In most cases, the remote gateway requires a username and a password before it will
establish a VPN connection. This username and password is sent from the remote user in an
unsecured form, or encrypted using a weak encryption algorithm. As this username and
password are easily snooped by malicious users of a public network, a security hole exists within
the very process of trying to create a VPN to provide greater security.

Thus, a need exists for more secure methods and systems for establishing a secure connection 
between computers which require minimum amounts of manual configuration.

SUMMARY OF THE INVENTION 

Systems and methods for establishing or providing a secure connection between networked
computers are disclosed. A computer may make a request for a secure connection to another
computer. In response, configuration data may be sent to the requesting computer. This
configuration data may execute on the requesting computer in order to create a secure connection
between the two computers. Using this secure connection, data may be passed between the two
computers with a greater degree of privacy.

Furthermore, protocols inherent to particular operating systems may be utilized to set up and
establish a secure connection between networked computers in an automated fashion, requiring
no manual intervention or configuration by the user of a computer. The configuration data sent
to the requesting computer may automatically configure a protocol on the requesting computer
and automatically establish a secure connection with another networked computer.

In one embodiment, a connection is requested in a first protocol, data is sent in response to the
request, a second protocol is configured using the data and a secure connection is established
using the second protocol.

In another embodiment, the first protocol is HTTPS. 
In yet another embodiment, the data is sent using the first protocol.


In other embodiments, the request for the connection includes a username and a password.
In still other embodiments, data is sent only if the username and password are verified.

In yet other embodiments, the data includes a controller. 

In some embodiments, the controller is an ActiveX controller.

In a particular embodiment, the data includes a credential and the secured connection is 
established using the credential. 

In one embodiment, the credential is dynamically generated in response to the request and
includes a password and a username.

In additional embodiments, the credential is valid only for the duration of the secure connection. 

In other embodiments, the second protocol is PPTP and is configured automatically using the
controller.

In one embodiment, the secure connection is established automatically using the controller. 

These, and other, aspects of the invention will be better appreciated and understood when
considered in conjunction with the following description and the accompanying drawings. The
following description, while indicating various embodiments of the invention and numerous
specific details thereof, is given by way of illustration and not of limitation. Many substitutions,
modifications, additions or rearrangements may be made within the scope of the invention, and
the invention includes all such substitutions, modifications, additions or rearrangements.

BRIEF DESCRIPTION OF THE DRAWINGS 

The drawings accompanying and forming part of this specification are included to depict certain 
aspects of the invention. A clearer impression of the invention, and of the components and 
operation of systems provided with the invention, will become more readily apparent by referring
to the exemplary, and therefore nonlimiting, embodiments illustrated in the drawings, wherein 
identical reference numerals designate the same components. Note that the features illustrated in 
the drawings are not necessarily drawn to scale. 

FIGURE 1 includes an illustration of exemplary architecture for use in describing various
embodiments of the systems and methods of the present invention.

FIGURE 2 includes a flow diagram of one embodiment of a method for establishing a secure 
connection between two computers. 


FIGURE 3 includes a representation of applying an embodiment of a method for establishing a 
secure connection to portions of the architecture depicted in FIGURE 1 . 

FIGURE 4 includes a representation of one embodiment of VPN client software. 


FIGURE 5 includes an illustration of another exemplary architecture where embodiments of the 
systems and methods of the present invention may find applicability. 

DESCRIPTION OF PREFERRED EMBODIMENTS 

The invention and the various features and advantageous details thereof are explained more fully
with reference to the nonlimiting embodiments that are illustrated in the accompanying drawings
and detailed in the following description. Descriptions of well known starting materials, 
processing techniques, components and equipment are omitted so as not to unnecessarily obscure 
the invention in detail. It should be understood, however, that the detailed description and the 
specific examples, while indicating preferred embodiments of the invention, are given by way of
illustration only and not by way of limitation. After reading the specification, various 
substitutions, modifications, additions and rearrangements will become apparent to those skilled 
in the art from this disclosure which do not depart from the scope of the appended claims. 

Initially, a few terms are defined to aid the reader in an understanding of the following
disclosure. The term "controller" is intended to mean any set of data or instructions operable to
perform certain tasks or a combination of hardware (such as a processor) and software
instructions capable of performing a certain task.

The term "networked" is intended to mean operable to communicate. For example, two
networked computers are operable to communicate with one another using techniques known in
the art, such as via a wireless or wired connection using TCP/IP. Two computers may be
networked through a variety of networks, sub-networks, etc.

Before discussing embodiments of the present invention, an exemplary architecture for use in 
illustrating embodiments of the present invention is described. It will be apparent to those of 
ordinary skill in the art that this is a simple architecture intended for illustrative embodiments
only, and that the systems and methods described herein may be employed with any variety of
more complicated architectures. Each of the computers depicted may include desktops, laptops,
PDAs or any other type of device capable of communicating, either via wireless or wired
connection, over a network. Each network depicted, whether it be an intranet or any other type
of network, may include sub-networks or any combination of networks and sub-networks.

FIGURE 1 illustrates just such an exemplary architecture. In FIGURE 1, intranet 100 is a private
network composed of client computers 110 and server 120. Client computers 110 may be
coupled to server 120, which is in turn coupled to public network 130, such as the Internet. Client
computers 110 may not be coupled directly to public network 130. Therefore, to access public
network 130, client computers 110 may communicate with server 120, which in turn serves as a
gateway to public network 130 as is commonly known in the art. Data residing within intranet
100 may be sensitive. Consequently, server 120 may also serve as a firewall for intranet 100,
preventing unauthorized users of public network 130 from accessing intranet 100. Remote client
computer 140 may also be coupled to public network 130 via a wired or wireless connection, as
is known in the art. Therefore, remote client computer 140 and server 120 may be capable of
communication via public network 130.

Attention is now directed to systems and methods for establishing a secure connection between
two computers over a network according to one embodiment of the invention. Typically, a user
at a remote client computer wishes to establish a connection with an intranet or a computer
within an intranet. To accomplish this, the remote client computer and a server computer
belonging to the intranet may create a VPN so information may be securely transferred between
the remote client computer and the server computer or other computers within the intranet. To
securely establish this VPN with a minimum of configuration, the remote client computer may
make a request for a VPN connection to the server. In response, the server may send
configuration data to the remote client computer. This configuration data may execute on the
remote client computer in order to create a secure VPN connection between the remote client and
the server. Using this secure connection, data may be passed between server and remote client
with a greater degree of privacy.

These systems and methods may be explained in more detail with reference to the exemplary
hardware architecture of FIGURE 1. Suppose a user at remote client computer 140 wishes to
securely interact with intranet 100. To accomplish this, remote client computer 140 can request a
secure connection from server 120 over network 130. In response, server 120 may send
configuration data to remote client computer 140. Using this configuration data, a secure
connection may be established between remote client computer 140 and server computer 120,
after which remote computer 140 may interact with computers 110, 120 of intranet 100 as if
remote computer 140 belonged to intranet 100.

In one particular embodiment, to obtain connectivity between remote client computer 140 and
server 120 a transient VPN may be established between server 120 and remote client computer
140 using public network 130. This transient VPN may provide a dynamic, secure connection
between remote client computer 140 and server 120 by creating a transient VPN endpoint on
remote client computer 140 that connects through a VPN tunnel to server 120. This VPN
connection may be established using a wide variety of VPN protocols, as are known in the art,
such as PPTP, IPsec, L2TP, etc.

Furthermore, protocols inherent to particular operating systems may be utilized to set up and
establish a transient VPN endpoint on remote client computer 140 in an automated fashion,
requiring no manual intervention or configuration by the user of remote client computer 140. For
example, suppose remote computer 140 and server 120 are both executing a Windows based
operating system of the type developed by Microsoft, such as Windows 98, Windows XP, Windows 2000,
etc. As Windows based operating systems have the PPTP VPN protocol built into them, this
protocol may be used advantageously to automatically establish a VPN between remote client
computer 140 and server 120 if both are executing a Windows based operating system.

Turning now to FIGURE 2, a flow diagram for one method of establishing a secure connection
between networked computers is depicted. To establish a secure connection between two
networked computers, the first step may be to ensure that the protocol to be utilized in establishing
this secure connection is installed on both computers, and if it is not, to install the desired
protocol on the computer(s) that do not have it (Step 210). For example, if a VPN connection is
desired between remote client computer 140 and server computer 120 a wide variety of VPN
protocols may be used to establish this connection, such as IPsec, L2TP, PPTP, MPLS, etc. If,
however, it is desired to use IPsec and remote client computer 140 does not have the IPsec
protocol installed or configured, it may be necessary to install the IPsec protocol (Step 210) on
remote client computer 140 before this particular protocol may be utilized in establishing a VPN
connection. This installation may only need to occur once, and may, for example, be
accomplished by an IT manager responsible for intranet 100 or remote client computer 140.

At any time after the desired protocol is installed on the computers (Step 210), a secure
connection may be requested by one of the computers (Step 220). For example, remote client
computer 140 may request a secure connection from server computer 120. This request (Step
220) may be in any format used to communicate over the network connection between the two
computers, such as FTP, HTTP or HTTPS. In response to this request (Step 220), a response
may be sent to the requesting computer (Step 230). This response (Step 230) may be sent to the
requesting computer using the same format used in the initial request (Step 220), such as FTP,
HTTP or HTTPS, and include a set of data designed to establish a secure connection between the
two computers using a particular protocol. This set of data may comprise a controller configured
to execute on the requesting computer and a set of credentials to be used in conjunction with the
controller.

The set of data sent in this response (Step 230) may provide information to be utilized by a
protocol on the requesting computer when connecting to a particular networked computer using
the protocol (Step 240). This information may include the IP address or host name of a server,
the authentication domain name, whether MPPC is to be utilized, which call-control and
management protocol is to be used, a DNS configuration, etc. Providing this information to the
protocol may be referred to as "configuring a protocol" and that phrase will be used as such
herein. In some instances, a controller contained in the response to the requesting computer
executes on the requesting computer and configures the protocol to establish a secure connection
using the credentials contained in the response (Step 230).
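The field list above is enough to model what a controller has to decide before it hands server-supplied configuration data to the client's built-in VPN protocol (Step 240). The following Python is an added example written for this page, not code from the patent or from Rocksteady Networks; the class, function and exception names are assumptions, as are the `auth_method` and `require_encryption` fields, which the specification does not list. It also adds checks the specification does not state but a practitioner would want before executing configuration received from a server: the tunnel endpoint must be the same host that served the data over HTTPS (so the data cannot redirect the tunnel to a third party), cleartext PPP authentication is refused, encryption is required rather than optional, and DNS entries must parse as addresses. These checks concern configuration hygiene only; they say nothing about the strength of the PPTP tunnel itself, and PPTP with MS-CHAPv2 has since been shown to be breakable.

```python
"""Added example: validating configuration data (Step 230) before applying it
to the client's built-in PPTP (Step 240). Constructed data, not the patent's code."""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class ProtocolConfig:
    """Configuration data as the specification lists it. auth_method and
    require_encryption are assumed fields that the patent does not name."""
    server: str                      # IP address or host name of the VPN server
    auth_domain: str                 # authentication domain name
    use_mppc: bool                   # whether MPPC compression is to be utilized
    call_control: str                # call-control and management protocol, e.g. "PPTP"
    dns_servers: tuple               # DNS configuration pushed to the client
    auth_method: str = "MSCHAPv2"    # assumed: PPP authentication method
    require_encryption: bool = True  # assumed: refuse to bring up an unencrypted tunnel


class ConfigRejected(ValueError):
    """Raised when server-supplied configuration data must not be applied."""


def _https_origin_host(delivered_from: str) -> str:
    """Host of the HTTPS URL the configuration data was fetched from."""
    url = urlparse(delivered_from)
    if url.scheme != "https" or not url.hostname:
        raise ConfigRejected("configuration data must be delivered over HTTPS")
    return url.hostname.lower()


def configure_protocol(cfg: ProtocolConfig, delivered_from: str) -> dict:
    """Validate cfg and return the PPTP client parameters the controller would
    hand to the operating system. Raises ConfigRejected otherwise.

    Added checks (not stated in the patent): the tunnel endpoint must equal the
    HTTPS origin, no cleartext PPP authentication, encryption required, and
    every DNS entry must be an IP address.
    """
    origin = _https_origin_host(delivered_from)
    if cfg.server.lower() != origin:
        raise ConfigRejected(f"tunnel endpoint {cfg.server!r} is not the origin {origin!r}")
    if cfg.call_control.upper() != "PPTP":
        raise ConfigRejected(f"unsupported call-control protocol {cfg.call_control!r}")
    if cfg.auth_method.upper() in ("PAP", "SPAP"):
        raise ConfigRejected("cleartext or reversibly encrypted PPP authentication refused")
    if not cfg.require_encryption:
        raise ConfigRejected("tunnel encryption must be required, not optional")
    dns = []
    for entry in cfg.dns_servers:
        try:
            dns.append(str(ipaddress.ip_address(entry)))
        except ValueError:
            raise ConfigRejected(f"DNS server {entry!r} is not an IP address") from None
    return {
        "TunnelType": "PPTP",
        "ServerAddress": cfg.server,
        "Domain": cfg.auth_domain,
        "Compression": "MPPC" if cfg.use_mppc else "none",
        "Authentication": cfg.auth_method.upper(),
        "EncryptionLevel": "Required",
        "DnsServers": dns,
    }


if __name__ == "__main__":
    # Constructed sample: data fetched from https://vpn.example.test/connect
    sample = ProtocolConfig("vpn.example.test", "EXAMPLE", True, "PPTP", ("10.0.0.53",))
    print(configure_protocol(sample, "https://vpn.example.test/connect"))
```

Binding the tunnel endpoint to the HTTPS origin is the simplest way to make the authenticated channel vouch for the tunnel destination. Where the two legitimately differ (a web front end on one host, the VPN gateway on another), the controller needs some other binding, such as the tunnel server's name being part of the signed package rather than free-form data.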

After this configuration process (Step 240), a secure connection may be initiated using the
configured protocol (Step 250), and a secure connection established (Step 260). In some
instances, a request for a secure connection may be initiated by the same controller responsible
for configuring the protocol, and include the credentials contained in the sent response (Step
230). After verifying the credentials a secure connection may be established (Step 260).

It will be clear to those of ordinary skill in the art that the method depicted in the flow diagram of
FIGURE 2 may be tailored to implement a secure connection between two computers in a variety 
of architectures, and may employ a variety of different protocols for the various communications 
and secure connections. 

Note that FIGURE 2 represents one embodiment of the invention and that not all of the steps
depicted in FIGURE 2 are necessary, that a step may not be required, and that further steps may
be utilized in addition to the ones depicted, including steps for communication, authentication,
configuration, etc. Additionally, the order in which each step is described is not necessarily the
order in which it is utilized. After reading this specification, a person of ordinary skill in the art
will be capable of determining which arrangement of steps will be best suited to a particular
implementation.

In fact, embodiments of the methods and systems of the present invention may be particularly
useful in establishing a secure connection between two computers by automatically configuring a
protocol built into the operating systems executing on both of the computers, alleviating the need
for a user to install or configure such a protocol manually.

FIGURE 3 depicts one embodiment of a method for automatically establishing a transient VPN
connection between a remote client computer and a server both executing a Windows based
operating system containing the point-to-point tunneling protocol (PPTP) for establishing VPNs.
Remote client computer 140 may send a connection request (Step 220) to server computer 120
indicating that remote client computer 140 wishes to establish a VPN connection with server 120.
This request may be initiated by a user at remote computer 140. Though this request may be
initiated in a variety of ways, in many instances a user at remote client computer 140 may initiate
this request using an HTTP client, for example, via an internet browser of the type commonly
known in the art, such as Netscape or Internet Explorer.

Using this browser, a user at remote client computer 140 may navigate to a particular URL in a
known manner, perhaps by typing it directly into an address window within the browser,
accessing the URL in his bookmarks file, or navigating to the URL by clicking on an HTTP link
within a page. By pointing his browser to a particular URL, the user at remote client computer
140 initiates a connection request to server computer 120. This URL may also contain an HTML
form requesting a username and password from a user at remote computer 140, in order to
authenticate a user at remote computer 140.

In some embodiments, this connection request (Step 220) is sent from the HTTP client on remote
client computer 140 to server 120 using HTTP. However, to better secure the connection
request, in other embodiments the connection request from remote client computer 140 to server
computer 120 is made using HTTPS, which may be sent via an SSL connection between remote
client computer 140 and server computer 120.

In response to the connection request (Step 220) from remote client computer 140, server
computer 120 may send data to remote client computer 140 which will facilitate the
establishment of a VPN connection between server and remote client computer (Step 230). If the
connection request (Step 220) from remote client computer 140 contained a username or
password, server computer 120 may first authenticate or authorize the requesting user at remote
client computer 140. Logic on server computer 120 may verify the username or password
submitted in the connection request (Step 220), possibly by authenticating them against a form of
user database (RADIUS, LDAP, etc.). If the user's authentication profile permits, server 120
may then send a response to remote client computer 140 with the configuration data (Step 230).
This data may include VPN client software designed to utilize a VPN protocol on remote client
computer 140 to automatically establish a secure VPN connection between server computer 120
and remote client computer 140 without any action by the user of remote client computer 140.

In one specific embodiment, the VPN client software is sent to remote client computer 140 using
HTTPS, and includes a controller designed to establish a secure VPN connection between server
120 and remote client computer 140, and a set of credentials. These credentials may be session
specific, and dynamically generated by server computer 120 using a random seed. Additionally,
this VPN client software may be digitally signed with an X.509 digital certificate, of the type
known in the art, so that remote client computer 140 recognizes that the origin of the VPN client
software is server computer 120. Once the origin of the VPN client software is verified, it may then
be installed or executed on remote client computer 140 to establish a secure VPN connection.

FIGURE 4 depicts a block diagram of one embodiment of the client software which may be sent
from server computer 120 to remote client computer 140 (Step 230). VPN client software 400
may include controller 410 designed to configure a protocol on remote client computer 140 and
establish the VPN connection between server 120 and remote client computer 140. In many
cases, this controller 410 is designed to utilize a VPN protocol resident on remote client
computer 140 to establish this connection. This controller may be written in a variety of
programming or scripting languages as are known in the art, such as C, C++, Java, etc.

Once VPN client software 400 is downloaded and controller 410 executed, controller 410 may
establish a secure VPN connection between remote client computer 140 and server 120. To
continue with the above example, remote client computer 140 may be executing a Windows
based operating system, and controller 410 may be an ActiveX controller designed specifically
to configure the PPTP bundled in the Windows operating system software. Therefore, once VPN
client software 400 is downloaded to remote client computer 140, ActiveX controller 410 may
execute automatically on remote client computer 140, making system library calls to configure
the PPTP resident on remote client computer 140 as a PPTP client.
Using the configured PPTP client, ActiveX controller 410 may then automatically establish a
secure VPN connection with server computer 120. This secure connection may be automatically
established by controller 410 by making additional system library calls on remote client
computer 140 to initiate a tunnel request (Step 250) from remote client computer 140 to server
computer 120. As noted above, PPTP libraries are installed with most Windows based operating
systems. Thus, ActiveX controller 410 executing on remote client computer 140 may configure the
PPTP to establish a secure VPN connection with the remote server and initiate a tunnel request,
without any interference or input by a user of remote client computer 140.

Additionally, in some embodiments, controller 410 may utilize credentials 420 in establishing the
secure VPN connection between server computer 120 and remote client computer 140. As
mentioned above, credentials 420 may have been dynamically generated by server computer 120
and sent in the response (Step 230) to the initial connection request (Step 220). Credentials 420 may
contain a password and username. Controller 410 may use this username and password as
parameters when establishing the VPN connection between remote client computer and server
computer. Credentials may be sent with the tunnel request (Step 250) and verified by server
computer 120 before establishing a VPN connection with remote computer 140. Since server
computer 120 initially created credentials 420, server 120 may identify the credentials from remote
client computer 140 and associate a particular VPN connection with a particular remote client
computer.

Credentials 420, including the username and password, may then be used for the duration of that
particular session between remote client computer 140 and server computer 120. Once the VPN
connection between remote client computer and server computer is severed, the username and
password may lose their validity, preventing their unauthorized use in the future.
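The exchange described for FIGURE 2 and FIGURE 3, together with the session-specific credentials of this paragraph, as an added example in Python that is not part of the patent or of any product it describes. Both parties are modelled as plain functions: `VpnGateway` stands for server 120 (authenticating the browser login against a constructed user table in place of RADIUS or LDAP, minting a one-session credential from a random source, verifying it on the tunnel request and revoking it on teardown) and `client_connect` stands for the controller on remote client 140. All names, the sample account and its password are assumptions; the ActiveX controller, the PPTP system calls, the code-signing step and the HTTPS transport are not modelled. One behaviour is added beyond the specification: an issued credential that is never used to open a tunnel expires after `ISSUE_TTL` seconds, since a credential that is only invalidated at teardown would otherwise stay valid indefinitely if the tunnel is never brought up.

```python
"""Added example: Steps 220-260 with one-session credentials. Constructed
data and assumed names; not the patent's or any product's code."""
import hashlib
import hmac
import secrets
import time

# Constructed user table standing in for the RADIUS/LDAP store the patent names.
# Passwords are kept only as salted PBKDF2 hashes.
_SALT = b"constructed-salt-for-this-example"


def _pbkdf2(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USER_DB = {"alice": _pbkdf2("correct horse")}   # constructed sample account

ISSUE_TTL = 60.0  # assumed: an issued but never-used credential dies after 60 s


class VpnGateway:
    """Server 120: answers the login request with configuration data carrying a
    one-session credential, then honours that credential exactly once."""

    def __init__(self, server_name: str, auth_domain: str):
        self.server_name = server_name
        self.auth_domain = auth_domain
        self._sessions = {}   # ephemeral username -> session record

    def request_connection(self, username: str, password: str, now=None):
        """Steps 220/230: verify the user's own credentials against the user
        table; return configuration data only if they verify, else None."""
        candidate = _pbkdf2(password)             # always hash: no early exit on unknown user
        stored = USER_DB.get(username, b"")
        if not hmac.compare_digest(stored, candidate):
            return None
        eph_user = f"{username}-{secrets.token_hex(8)}"   # fresh per session
        eph_pass = secrets.token_urlsafe(24)              # high-entropy, so a plain hash suffices
        self._sessions[eph_user] = {
            "owner": username,
            "pass_hash": hashlib.sha256(eph_pass.encode()).digest(),
            "issued": time.time() if now is None else now,
            "state": "issued",
        }
        return {                                  # the configuration data of Step 230
            "server": self.server_name,
            "auth_domain": self.auth_domain,
            "call_control": "PPTP",
            "credential": {"username": eph_user, "password": eph_pass},
        }

    def tunnel_request(self, eph_user: str, eph_pass: str, now=None):
        """Steps 250/260: accept a tunnel only for a fresh, unexpired credential
        this gateway issued; return the owning user, or None to refuse."""
        now = time.time() if now is None else now
        rec = self._sessions.get(eph_user)
        if rec is None:
            return None
        if rec["state"] != "issued" or now - rec["issued"] > ISSUE_TTL:
            self._sessions.pop(eph_user, None)    # replayed or stale: burn it
            return None
        presented = hashlib.sha256(eph_pass.encode()).digest()
        if not hmac.compare_digest(rec["pass_hash"], presented):
            return None
        rec["state"] = "established"
        return rec["owner"]

    def disconnect(self, eph_user: str) -> None:
        """Tunnel severed: the session credential permanently loses validity."""
        self._sessions.pop(eph_user, None)

    def active_sessions(self):
        return sorted(u for u, r in self._sessions.items() if r["state"] == "established")


def client_connect(gateway: VpnGateway, username: str, password: str):
    """Remote client 140: one browser login, one configured tunnel. Returns the
    ephemeral username identifying the session, or None."""
    data = gateway.request_connection(username, password)
    if data is None:
        return None                               # no data is sent on a failed login
    cred = data["credential"]
    owner = gateway.tunnel_request(cred["username"], cred["password"])
    return cred["username"] if owner else None


if __name__ == "__main__":
    gw = VpnGateway("vpn.example.test", "EXAMPLE")
    print(client_connect(gw, "alice", "correct horse"))    # alice-<random hex>
    print(client_connect(gw, "alice", "wrong password"))   # None
```

The gateway never learns the user's long-term password from the tunnel request: only the ephemeral pair crosses the PPTP handshake, and it is bound to the record that the HTTPS login created, so the server can attribute each tunnel to the account that requested it and refuse a second tunnel on the same credential.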

Embodiments of the systems and methods disclosed will be useful in a variety of architectures, as
will be apparent to those of skill in the art after reading this disclosure. FIGURE 5 depicts an
example of another architecture where these systems and methods might find useful application.
Wireless router 510 and server 512 may serve as wireless access point 514 to Internet 520, as is
known in the art. Remote client computer 140 may be wirelessly coupled to server 512 and
Internet 520 through router 510. In this architecture, embodiments of these systems and
methods may be utilized to secure wireless communications between remote client computer 140
and access point 514.

For example, after remote client computer 140 enters the range of wireless router 510, remote 
client computer 140 may associate with access point 514. Remote client computer 140 may then 
request a secure connection with server 512 via a browser based interface. Client software 400, 
including controller 410 and credentials 420, may be downloaded to remote client computer 140 
using HTTPS, at which point the controller automatically configures the PPTP on remote client 
computer 140 and establishes a VPN tunnel between remote client computer 140 and wireless 
access point 514. From this point, wireless communications between remote client computer and 
access point 514 may be made using this VPN tunnel and are therefore more secure. 

In the foregoing specification, the invention has been described with reference to specific 
embodiments. However, one of ordinary skill in the art appreciates that various modifications 
and changes can be made without departing from the scope of the invention as set forth in the 
claims below. Accordingly, the specification and figures are to be regarded in an illustrative 
rather than a restrictive sense, and all such modifications are intended to be included within the 
scope of invention. 

Benefits, other advantages, and solutions to problems have been described above with regard to 
specific embodiments. However, the benefits, advantages, solutions to problems, and any 
component(s) that may cause any benefit, advantage, or solution to occur or become more 
pronounced are not to be construed as a critical, required, or essential feature or component of 
any or all the claims. 


CLAIMS 

1. A method for establishing a secure connection between two computers, comprising: 
requesting a connection, wherein the request is in a first protocol; 
sending data in response to the request; 
configuring a second protocol using the data; 
establishing the secure connection using the second protocol. 

2. The method of claim 1, wherein the first protocol is HTTPS. 

3. The method of claim 2, wherein the data is sent using the first protocol. 

4. The method of claim 3, wherein the request for the connection includes a username and a 
password. 

5. The method of claim 4, wherein the data is sent only if the username and password are 
verified. 

6. The method of claim 1, wherein the data includes a controller. 

7. The method of claim 6, wherein the controller is an Active X controller. 

8. The method of claim 6, wherein the data includes a credential. 

9. The method of claim 8, wherein the secured connection is established using the 
credential. 

10. The method of claim 9, wherein the credential includes a password and a username. 

11. The method of claim 8, wherein the credential is dynamically generated in response to the 
request. 

12. The method of claim 11, wherein the credential is valid only for the duration of the secure 
connection. 
13. The method of claim 6, wherein the second protocol is configured automatically using the 
controller. 

14. The method of claim 13, wherein the second protocol is PPTP. 

15. The method of claim 13, wherein the secure connection is established automatically using 
the controller. 

16. A system for a secure connection between two computers, comprising: 
a first computer operable to request a connection, wherein the request is in a first 
protocol; 
a second computer operable to send data in response to the request, wherein the data 
contains instructions operable to configure a second protocol on the first computer and establish 
the secure connection using the second protocol. 

17. The system of claim 16, wherein the first protocol is HTTPS. 

18. The system of claim 17, wherein the data is sent using the first protocol. 

19. The system of claim 18, wherein the request for the connection includes a username and a 
password. 

20. The system of claim 19, wherein second computer is operable to verify the username and 
password and send the data only if the username and password are verified. 

21. The system of claim 16, wherein the data includes a controller. 

22. The system of claim 21, wherein the controller is an Active X controller. 

23. The system of claim 21, wherein the data includes a credential. 

24. The system of claim 23, wherein the secured connection is established using the credential. 

25. The system of claim 24, wherein the credential includes a password and a username. 
26. The system of claim 23, wherein second computer is operable to dynamically generate the 
credential in response to the request. 

27. The system of claim 26, wherein the credential is valid only for the duration of the secure 
connection. 

28. The system of claim 21, wherein the second protocol is configured automatically by the 
controller. 

29. The system of claim 28, wherein the second protocol is PPTP. 

30. The system of claim 28, wherein the secure connection is established automatically using the 
controller. 

31. A computer readable medium, having data embodied thereon, the data translatable for: 
configuring a protocol on a first computer; and 
establishing a secure connection between the first computer and a second computer using the 
protocol. 

32. The computer readable medium of claim 31, wherein the data is translatable to implement a 
controller. 

33. The computer readable medium of claim 32, wherein the controller is an Active X controller. 

34. The computer readable medium of claim 32, wherein the data further includes a 
credential. 

35. The computer readable medium of claim 34, wherein the secure connection is established 
using the credential. 

36. The computer readable medium of claim 35, wherein the credential includes a password and 
a username. 

37. The computer readable medium of claim 32, wherein the protocol is configured 
automatically by the controller. 
38. The computer readable medium of claim 37, wherein the protocol is PPTP. 


39. The computer readable medium of claim 37, wherein the secure connection is established 
automatically using the controller. 